The US Federal Bureau of Investigation (FBI) today revealed that it has infiltrated the world’s second largest ransomware ring, a Russia-based criminal group known as ALPHV and BlackCat. The FBI said it had seized the gang’s darknet website and released a decryption tool that hundreds of victimized companies could use to recover their systems. BlackCat responded by briefly “unsealing” its darknet site with a message offering 90 percent commissions to affiliates who continue to work with the crime group, and promising open season on everything from hospitals to nuclear power plants.

Rumors of possible law enforcement action against BlackCat began in the first week of December, when the ransomware group’s darknet site went offline and stayed unavailable for nearly five days. BlackCat eventually got its site back online and attributed the outage to an equipment failure.

But earlier today, the BlackCat website was replaced with an FBI seizure notice, while federal prosecutors in Florida unsealed a search warrant detailing how FBI agents were able to gain access to and disrupt the group’s operations.

A statement on the operation from the US Department of Justice says the FBI developed a decryption tool that has allowed the agency’s field offices and partners around the world to offer more than 500 affected victims the ability to restore their systems.

“With decryption tools provided by the FBI to hundreds of ransomware victims around the world, businesses and schools were able to reopen, and health care and emergency services were able to come back online,” Deputy Attorney General Lisa O. Monaco said. “We will continue to prioritize disruption and put victims at the center of our strategy to dismantle the ecosystem that enables cybercrime.”

The DOJ reports that since BlackCat’s formation approximately 18 months ago, the crime group has targeted the computer networks of more than 1,000 victim organizations. BlackCat attacks typically involve both encrypting and stealing data. If victims refuse to pay the ransom, the attackers usually publish the stolen data on a BlackCat-linked darknet site.

BlackCat was formed by recruiting operators from several competing or disbanded ransomware organizations – including REvil, Blackmatter, and DarkSide. The latter group was responsible for the Colonial Pipeline attack in May 2021, which led to nationwide fuel shortages and price hikes.

Like many other ransomware operations, BlackCat operates under a “ransomware-as-a-service” model, where teams of developers maintain and update the ransomware code as well as all of its supporting infrastructure. Affiliates are incentivized to attack high-value targets as they typically receive 60-80 percent of any payout, while the remainder goes to the crooks running the ransomware operation.

BlackCat managed to briefly regain control of its darknet servers today. Shortly after the FBI’s seizure notice went live, the homepage was “unsealed” and refitted with a statement about the incident from the ransomware group’s perspective.

BlackCat claimed that the FBI’s operation touched only a portion of its operation, and that an additional 3,000 victims would no longer have the option to obtain decryption keys as a result of the FBI’s actions. The group also said it was formally removing any restrictions or discouragements against targeting hospitals or other critical infrastructure.

“Because of their actions, we are introducing new rules, or rather we are removing all the rules except one: you cannot touch the CIS [a common restriction against attacking organizations in Russia or the Commonwealth of Independent States]. Now you can block hospitals, nuclear power plants, anything, anywhere.”

The crime group also said it was setting affiliate commissions at 90 percent, presumably to attract interest from potential affiliates who might otherwise be deterred by the FBI’s recent intrusions. BlackCat also promised that under this new plan all “advertisers” will manage their affiliate accounts from data centers that are completely isolated from each other.

BlackCat’s darknet site currently displays an FBI seizure notice. But as BleepingComputer founder Lawrence Abrams reported on Mastodon, both the FBI and BlackCat hold the private keys tied to the Tor hidden service URLs for BlackCat’s victim shaming and data leak site.

“Whoever is the latest to publish the hidden service to Tor (in this case the Blackcat data leak site) will resume control over the URL,” Abrams said. “Expect to see this kind of back-and-forth over the next few days.”
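The tug-of-war Abrams describes is possible because a v3 onion address is derived directly from the hidden service’s long-term public key: anyone holding the matching private key can publish a fresh descriptor and take over the name. The following is an added example, not code from the article or from Abrams; it implements the address derivation and validation from the Tor rend-spec-v3 document (base32 of public key, a two-byte SHA3-256 checksum, and version byte 0x03) and uses a constructed 32-byte key, not a real key from any site.

```python
import base64
import binascii
import hashlib
import os
from typing import Optional

# Constants from Tor rend-spec-v3 (onion address format).
ONION_V3_VERSION = b"\x03"
ONION_V3_CHECKSUM_PREFIX = b".onion checksum"
ONION_V3_PUBKEY_LEN = 32   # ed25519 public key
ONION_V3_HOST_LEN = 56     # base32 of 35 bytes (32 key + 2 checksum + 1 version)


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    digest = hashlib.sha3_256(ONION_V3_CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()
    return digest[:2]


def onion_v3_address(pubkey: bytes) -> str:
    """Derive the .onion hostname bound to an ed25519 public key.

    Because the name is a function of the key alone, control of the name
    follows control of the private key, which is why two parties holding the
    same key can each re-publish the service and take the address back.
    """
    if len(pubkey) != ONION_V3_PUBKEY_LEN:
        raise ValueError("v3 onion public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3_address(address: str) -> Optional[bytes]:
    """Validate a v3 onion address and return its public key, or None if malformed.

    Checks length, base32 encoding, the version byte and the checksum, so a
    mistyped or tampered address is rejected rather than silently accepted.
    """
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[:-len(".onion")]
    if len(host) != ONION_V3_HOST_LEN:
        return None
    try:
        raw = base64.b32decode(host.upper())
    except (binascii.Error, ValueError):
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        return None
    if checksum != onion_v3_checksum(pubkey):
        return None
    return pubkey


if __name__ == "__main__":
    # Constructed sample key (random bytes, not a real hidden service key).
    sample_pubkey = os.urandom(ONION_V3_PUBKEY_LEN)
    addr = onion_v3_address(sample_pubkey)
    print("address:", addr)
    print("round trip ok:", parse_onion_v3_address(addr) == sample_pubkey)
    # Corrupting the final character breaks the version byte and is rejected.
    print("tampered accepted:", parse_onion_v3_address(addr[:-7] + "a.onion") is not None)
```

A defender tracking a leak site that flips between two operators can use `parse_onion_v3_address` to confirm that an address seen in a report is well formed and to extract the key it is bound to; two sites with different addresses necessarily use different keys, while the same address re-published by either party still resolves to the same key.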

The DOJ says anyone with information about BlackCat associates or their activities may be eligible for a reward of up to $10 million through the State Department’s “Rewards for Justice” program, which accepts submissions through a Tor-based tip line (the site is only reachable using the Tor browser).

Further reading: CISA StopRansomware alert on the tools, techniques, and procedures used by ALPHV/BlackCat.

Source: krebsonsecurity.com